From owner-freebsd-security Tue Nov 13 10:32:32 2001
Date: Tue, 13 Nov 2001 10:32:25 -0800
From: Will Yardley
To: freebsd-security@FreeBSD.org
Subject: Re: Adore worm
Message-ID: <20011113103225.A1184@hq.newdream.net>
In-Reply-To: <5.1.0.14.2.20011114005803.0207ed70@MailServer>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer> <5.1.0.14.2.20011114005803.0207ed70@MailServer>
User-Agent: Mutt/1.3.23i
Organization: New Dream Network

Stefan Probst wrote:
> > Will go to bed now and pray.....
> I still can telnet to the box.

Please don't telnet to your box with the root username, the name you use to su to root from, or a username that has root access via the 'sudo' facility. This makes it easy for someone to sniff your unencrypted traffic. Use ssh instead.

As someone mentioned, there's a telnetd exploit as well, which is most likely how your box got rooted. If you can POSSIBLY require your users to use ssh instead, you should do so, as running telnetd is asking for trouble. Try to run only ssh v2 as well. If you must run telnet, make sure that users who have any sort of high-level access don't use it.

There are free ssh clients available for pretty much any platform imaginable.... http://freessh.org/ has some good ones listed. For 'doze I'd recommend PuTTY or SecureCRT.

If the machine is dedicated and geographically far (as you say), then I don't know what to tell you - have your provider give you a new box with a fresh install if possible. I'm not sure if this runs any risks, but you could try cvsupping your source tree and rebuilding your system (others might have more insight into this, and possible risks of doing so). Since you don't know for sure what they've modified or what information is compromised, a fresh install of some sort is really important.

w
--
GPG Public Key: http://infinitejazz.net/will/pgp/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
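The checks the mail recommends (SSH v2 only, no root login over ssh, telnetd switched off, and knowing which accounts can reach root and therefore must never use telnet) can be audited from a shell. The script below is an added example and is not part of the original message or of FreeBSD; the sshd_config, inetd.conf and group(5) excerpts it reads are constructed samples written to a temporary directory, and the treatment of an unset directive as weak assumes the OpenSSH defaults of that era ("Protocol 2,1", "PermitRootLogin yes").

```shell
#!/bin/sh
# Added example, not code from the original mail. Audits sshd_config and
# inetd.conf for the weaknesses discussed in the thread and lists the
# accounts that can become root via su(1). All file contents below are
# constructed samples, not a real host's configuration.

# Effective (non-comment, non-blank) directives of a config file.
effective_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# One line per check for an sshd_config; exit status 1 if anything is WEAK.
# An unset directive counts as weak: OpenSSH of the time defaulted to
# "Protocol 2,1" and "PermitRootLogin yes" (assumption stated in the lead-in).
audit_sshd_config() {
    effective_lines "$1" | awk '
        tolower($1) == "protocol"        { proto = $2 }
        tolower($1) == "permitrootlogin" { root  = tolower($2) }
        END {
            weak = 0
            if (proto == "" || proto ~ /1/) {
                print "WEAK: Protocol allows SSH v1 (" (proto == "" ? "unset" : proto) ")"; weak = 1
            } else print "OK:   Protocol " proto
            if (root == "" || root == "yes") {
                print "WEAK: PermitRootLogin " (root == "" ? "unset" : root); weak = 1
            } else print "OK:   PermitRootLogin " root
            exit weak
        }'
}

# Report whether inetd still serves telnet; exit status 1 if it does.
# inetd.conf lists the service name in the first field.
audit_inetd_conf() {
    effective_lines "$1" | awk '
        $1 == "telnet" { print "WEAK: telnetd enabled in inetd.conf (" $0 ")"; found = 1 }
        END { if (!found) print "OK:   telnet not served by inetd"; exit found + 0 }'
}

# Members of wheel in a group(5) file: the accounts that can su to root and
# so must never log in over cleartext telnet.
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, u, ","); for (i = 1; i <= n; i++) if (u[i] != "") print u[i] }' "$1"
}

# Constructed sample files.
WORK=$(mktemp -d)
WEAK_SSHD="$WORK/sshd_config.weak"; FIXED_SSHD="$WORK/sshd_config.fixed"
WEAK_INETD="$WORK/inetd.conf.weak"; FIXED_INETD="$WORK/inetd.conf.fixed"
GROUP_FILE="$WORK/group"

cat > "$WEAK_SSHD" <<'EOF'
# constructed sample: defaults left in place, PermitRootLogin only commented
Port 22
Protocol 2,1
#PermitRootLogin no
X11Forwarding yes
EOF
cat > "$FIXED_SSHD" <<'EOF'
# constructed sample: what the mail recommends
Port 22
Protocol 2
PermitRootLogin no
X11Forwarding no
EOF
cat > "$WEAK_INETD" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
EOF
cat > "$FIXED_INETD" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
EOF
cat > "$GROUP_FILE" <<'EOF'
wheel:*:0:root,alice,bob
users:*:100:
EOF

for f in "$WEAK_SSHD" "$FIXED_SSHD"; do
    echo "== $f"; audit_sshd_config "$f" || echo "   -> fix this before exposing sshd"
done
for f in "$WEAK_INETD" "$FIXED_INETD"; do
    echo "== $f"; audit_inetd_conf "$f" || echo "   -> comment the telnet line out and HUP inetd"
done
echo "== accounts that must not use telnet (wheel):"
wheel_members "$GROUP_FILE"
```

Run it as-is to see the weak and fixed samples side by side; to audit a real host, point the three functions at /etc/ssh/sshd_config, /etc/inetd.conf and /etc/group instead of the sample files, and remember that a commented-out line is not a setting.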